`--deep` Considered Harmful


Many of the trusted execution problems I see are caused by folks signing their product using the --deep option. While that can work in some circumstances, I generally recommend against it. There are two issues with --deep:

  • It applies the same code signing options to every code item that it signs, something that’s not appropriate in general. For example, you might have an app containing a nested command-line tool, where the app and the tool need different entitlements. The --deep option will apply the same entitlements to both, which is a serious mistake.

  • It only signs code that it can find, and it only finds code in nested code sites. If you put code in a place where the system is expecting to find data, --deep won’t sign it.

The first issue is fundamental to how --deep works, and is the main reason you should not use it. Indeed, on macOS it may cause the trusted execution system to block your program from running. For the details, see the Check for Entitlements on Library Code section of Resolving Library Loading Problems.

The second issue is only a problem if you don’t follow the rules for nesting code and data within a bundle, as documented in Placing Content in a Bundle. However, my experience is that the products that don’t follow those rules are exactly the same sort of products that try to use --deep.

The alternative to --deep is to sign each code item separately, from the inside out. If your product has lots of nested code, automate this using a script.

Note: One exception to the prohibition on --deep is Automator apps. If you’re signing an Automator app, see this DevForums post.

For detailed information on how to correctly sign and package Mac software, see Creating Distribution-Signed Code for Mac and Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

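The inside-out signing the post recommends in place of --deep, as an added example: this is not Quinn's script and not Apple tooling. It assumes (none of this comes from the post) that code lives only in the standard nested-code sites (Contents/Frameworks, PlugIns, XPCServices, Helpers, Library/LoginItems and MacOS), that a bundle's main executable is named after the bundle (Demo.app/Contents/MacOS/Demo) and so is covered by signing the bundle, and that per-item entitlements live in a hypothetical $ENTITLEMENTS_DIR/<item name>.entitlements file. The signing identity is a placeholder. It uses only codesign options that exist: --sign, --force, --timestamp, --options runtime, --entitlements, --verify, --deep, --strict and --verbose.

```shell
#!/bin/sh
# Added example: sign an app bundle inside out with codesign, one item at a
# time, instead of --deep. Not Quinn's script; see the assumptions above.

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID1234)}"  # placeholder
ENTITLEMENTS_DIR="${ENTITLEMENTS_DIR:-./entitlements}"  # hypothetical layout
CODESIGN="${CODESIGN:-codesign}"   # override (e.g. with a logging function) for a dry run

# True if $1 is the main executable of the bundle three levels up, i.e.
# <Name>.<ext>/Contents/MacOS/<Name>. codesign signs it with the bundle.
is_main_executable() {
    bundle=$(dirname "$(dirname "$(dirname "$1")")")
    stem=$(basename "$bundle"); stem="${stem%.*}"
    [ "$(basename "$1")" = "$stem" ]
}

# Print every nested code item under an app, deepest first, one path per line.
# find -depth emits a directory's contents before the directory itself, which
# is the inside-out order codesign needs: a dylib inside a framework comes
# before the framework, the framework before the app.
list_code_items() {
    find "$1/Contents" -depth \
        \( -type d \( -name '*.framework' -o -name '*.app' -o -name '*.appex' \
                      -o -name '*.xpc' -o -name '*.bundle' -o -name '*.plugin' \) \
           -o -type f \) -print |
    while IFS= read -r path; do
        if [ -d "$path" ]; then
            printf '%s\n' "$path"          # a nested bundle
            continue
        fi
        case "$path" in
            *.dylib|*.so) printf '%s\n' "$path"; continue ;;
        esac
        # Stand-alone executables belong in MacOS or Helpers. Skip the bundle's
        # own main executable and anything executable sitting in a data site.
        parent=$(basename "$(dirname "$path")")
        if [ -x "$path" ] && { [ "$parent" = MacOS ] || [ "$parent" = Helpers ]; } \
           && ! is_main_executable "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Sign one item with its own entitlements file, if it has one. This is what
# --deep cannot do: it gives every item the same options and entitlements.
sign_item() {
    ent="$ENTITLEMENTS_DIR/$(basename "$1").entitlements"
    if [ -f "$ent" ]; then
        $CODESIGN --sign "$IDENTITY" --force --timestamp --options runtime \
                  --entitlements "$ent" "$1"
    else
        $CODESIGN --sign "$IDENTITY" --force --timestamp --options runtime "$1"
    fi
}

# Nested items first, the outer app last, so the app's seal covers them all.
sign_app() {
    list_code_items "$1" | while IFS= read -r item; do sign_item "$item" || exit 1; done
    sign_item "$1"
}

# --deep is fine for verification: check the whole tree, strictly.
verify_app() {
    $CODESIGN --verify --deep --strict --verbose=2 "$1"
}

# Usage: sign_inside_out.sh /path/to/MyApp.app
if [ $# -eq 1 ]; then
    sign_app "$1" && verify_app "$1"
fi
```

A dry run with CODESIGN pointed at a function that only logs its arguments shows the order and the per-item options before any real signing happens; run the real thing only once the log lists every nested item you expect and none of the data files.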